diff --git a/modules/dns/README.md b/modules/dns/README.md
index d542fd8851..6b3b5607a6 100644
--- a/modules/dns/README.md
+++ b/modules/dns/README.md
@@ -20,8 +20,11 @@ module "private-dns" {
"A localhost" = { records = ["127.0.0.1"] }
"A myhost" = { ttl = 600, records = ["10.0.0.120"] }
}
+ iam = {
+ "roles/dns.admin" = ["group:dns-administrators@myorg.com"]
+ }
}
-# tftest modules=1 resources=3 inventory=private-zone.yaml
+# tftest modules=1 resources=4 inventory=private-zone.yaml
```
### Forwarding Zone
@@ -114,8 +117,11 @@ module "public-dns" {
recordsets = {
"A myhost" = { ttl = 300, records = ["127.0.0.1"] }
}
+ iam = {
+ "roles/dns.admin" = ["group:dns-administrators@myorg.com"]
+ }
}
-# tftest modules=1 resources=3 inventory=public-zone.yaml
+# tftest modules=1 resources=4 inventory=public-zone.yaml
```
@@ -124,18 +130,19 @@ module "public-dns" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [domain](variables.tf#L54) | Zone domain, must end with a period. | string
| ✓ | |
-| [name](variables.tf#L72) | Zone name, must be unique within the project. | string
| ✓ | |
-| [project_id](variables.tf#L83) | Project id for the zone. | string
| ✓ | |
+| [name](variables.tf#L78) | Zone name, must be unique within the project. | string
| ✓ | |
+| [project_id](variables.tf#L89) | Project id for the zone. | string
| ✓ | |
| [client_networks](variables.tf#L21) | List of VPC self links that can see this zone. | list(string)
| | []
|
| [description](variables.tf#L28) | Domain description. | string
| | "Terraform managed."
|
| [dnssec_config](variables.tf#L34) | DNSSEC configuration for this zone. | object({…})
| | {…}
|
| [enable_logging](variables.tf#L59) | Enable query logging for this zone. | bool
| | false
|
| [forwarders](variables.tf#L66) | Map of {IPV4_ADDRESS => FORWARDING_PATH} for 'forwarding' zone types. Path can be 'default', 'private', or null for provider default. | map(string)
| | {}
|
-| [peer_network](variables.tf#L77) | Peering network self link, only valid for 'peering' zone types. | string
| | null
|
-| [recordsets](variables.tf#L88) | Map of DNS recordsets in \"type name\" => {ttl, [records]} format. | map(object({…}))
| | {}
|
-| [service_directory_namespace](variables.tf#L123) | Service directory namespace id (URL), only valid for 'service-directory' zone types. | string
| | null
|
-| [type](variables.tf#L129) | Type of zone to create, valid values are 'public', 'private', 'forwarding', 'peering', 'service-directory','reverse-managed'. | string
| | "private"
|
-| [zone_create](variables.tf#L139) | Create zone. When set to false, uses a data source to reference existing zone. | bool
| | true
|
+| [iam](variables.tf#L72) | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string))
| | null
|
+| [peer_network](variables.tf#L83) | Peering network self link, only valid for 'peering' zone types. | string
| | null
|
+| [recordsets](variables.tf#L94) | Map of DNS recordsets in \"type name\" => {ttl, [records]} format. | map(object({…}))
| | {}
|
+| [service_directory_namespace](variables.tf#L129) | Service directory namespace id (URL), only valid for 'service-directory' zone types. | string
| | null
|
+| [type](variables.tf#L135) | Type of zone to create, valid values are 'public', 'private', 'forwarding', 'peering', 'service-directory','reverse-managed'. | string
| | "private"
|
+| [zone_create](variables.tf#L145) | Create zone. When set to false, uses a data source to reference existing zone. | bool
| | true
|
## Outputs
diff --git a/modules/dns/main.tf b/modules/dns/main.tf
index 8c3b56fde8..217ccd441d 100644
--- a/modules/dns/main.tf
+++ b/modules/dns/main.tf
@@ -178,6 +178,16 @@ resource "google_dns_managed_zone" "public" {
}
}
+resource "google_dns_managed_zone_iam_binding" "iam_bindings" {
+ for_each = coalesce(var.iam, {})
+ project = var.project_id
+ managed_zone = (var.type == "public"
+ ? google_dns_managed_zone.public[0].name
+ : google_dns_managed_zone.non-public[0].name)
+ role = each.key
+ members = each.value
+}
+
data "google_dns_keys" "dns_keys" {
count = var.zone_create && (var.dnssec_config == {} || var.type != "public") ? 0 : 1
managed_zone = local.zone.id
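Review bot: The `managed_zone` expression in `google_dns_managed_zone_iam_binding.iam_bindings` indexes `google_dns_managed_zone.public[0]` and `google_dns_managed_zone.non-public[0]` directly. This will presumably fail when `zone_create = false`, because the README says the module then reads the zone from a data source, so those resources would have no instances. The `google_dns_keys` data source just below already goes through `local.zone`, so `managed_zone = local.zone.name` would likely cover both created and pre-existing zones. The definition of `local.zone` is outside this hunk, so confirm it exposes `name` before switching. The `data "google_dns_keys"` block also continues past the end of the hunk.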
diff --git a/modules/dns/variables.tf b/modules/dns/variables.tf
index 5e62489aaf..18a4187ee6 100644
--- a/modules/dns/variables.tf
+++ b/modules/dns/variables.tf
@@ -69,6 +69,12 @@ variable "forwarders" {
default = {}
}
+variable "iam" {
+ description = "IAM bindings in {ROLE => [MEMBERS]} format."
+ type = map(list(string))
+ default = null
+}
+
variable "name" {
description = "Zone name, must be unique within the project."
type = string
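Review bot: The `iam` description does not say that these bindings are authoritative. `google_dns_managed_zone_iam_binding` in main.tf sets the complete member list for each role on the zone, so any principal granted that role on the zone outside this module is removed on apply. I would state that where callers read it, e.g. `description = "Authoritative IAM bindings in {ROLE => [MEMBERS]} format; members not listed here lose the role on this zone."`, and regenerate the README variables table to match. The `variable "name"` block continues outside the hunk.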
diff --git a/tests/modules/dns/examples/private-zone.yaml b/tests/modules/dns/examples/private-zone.yaml
index f642664506..c82f97923c 100644
--- a/tests/modules/dns/examples/private-zone.yaml
+++ b/tests/modules/dns/examples/private-zone.yaml
@@ -48,3 +48,4 @@ values:
counts:
google_dns_managed_zone: 1
google_dns_record_set: 2
+ google_dns_managed_zone_iam_binding: 1
diff --git a/tests/modules/dns/examples/public-zone.yaml b/tests/modules/dns/examples/public-zone.yaml
index 0f8067a764..904d347e8d 100644
--- a/tests/modules/dns/examples/public-zone.yaml
+++ b/tests/modules/dns/examples/public-zone.yaml
@@ -32,7 +32,8 @@ counts:
google_dns_keys: 1
google_dns_managed_zone: 1
google_dns_record_set: 1
+ google_dns_managed_zone_iam_binding: 1
modules: 1
- resources: 3
+ resources: 4
outputs: {}